Skip to content Skip to navigation

Getting a Better Handle on Mixed Data

October 24, 2013
by John DeGaspari
| Reprints
Locating PHI and PII in all of its forms

As an organization that serves the health needs of Native American tribes in rural Northern California, the Sacramento, Calif.-based California Rural Indian Health Board (CRIHB) serves a diverse population. Under its mandate to promote unity and formulate a common policy on American Indian healthcare issues, it is responsible for about 30 tribes; and, explains Adam Culich, information systems officer of CRIHB, “Because the needs of, and relationship with, each tribe are so unique, we have varying degrees of contact with around 100 providers and dozens of local hospitals and clinics.”

As noted by Culich, one big challenge of his organization is the storage of high volumes of mixed data, yet it had no clear idea of where that data existed on its network. That made it hard to comply with Health Insurance Portability and Accountability (HIPAA) Act rules or to prevent data breaches. CRIHB had about a terabyte of mixed data on its network, yet it had no way of knowing, with any degree of certainty, where it lived. “Our only option to organize that information would have required a manual audit of hundreds of thousands of files, which would have taken, literally, years,” Culich says. In February, it installed a solution (Sensitive Data Manager, supplied by Identity Finder, LLC in New York), that Culich says has allowed the organization to locate all data, regardless of the type of file or where it may exist.

Healthcare Informatics recently asked Culich about the challenges of managing the data in his organization. Excerpts of the interview are below.

What are the types or volumes of data you must manage? How long do you hold on to data?

Because our files span over three decades, we have a wide range of data types: PDFs (text and image-based), Excel, Word, text files, xml files. Prior to using Sensitive Data Manager, it was very challenging to locate every file. We found that many grant numbers on the similar numerical characteristics as Social Security numbers, which could produce a false positive in an audit. This is no longer an issue.

The trickiest files are image-based PDFs that originate from a scanner. They are very difficult to locate, as you can’t search for the text within the document. We have tens-of-thousands of these types of files.  Today, managing them is much easier. We also had difficulty managing data within Sequel. 

Does your organization use an EHR [electronic health record]? Which one? How well does the data management solution integrate with other software in your organization?

We support and run EHRs for the tribes we service, using NextGen, which runs on Microsoft SQL Server. Sensitive Data Manager integrates with NextGen very well and makes the auditing process very easy. 

Has your organization ever experienced a data breach or been audited?

No data breaches. We recently had a risk analysis performed by a well-known third party for meaningful use. They were quite impressed at our ability to find and secure PHI [protected health information] in the network.

What do you see as its biggest benefits for your organization?

The biggest benefit is having a visual of what information is sitting out there on our network. We had a terabyte of information and there was no way to realistically identify the whereabouts of every file. A manual audit would have taken, literally, years to complete, with the status of our data changing continuously throughout the process. 

With Sensitive Data Manager, the auditing process took about four days, which uncovered PHI and PII [personally identifiable information] places that weren’t 100 percent secure. As a result, we were able to properly store that data and we now have the ability to conduct accurate self-audits on a consistent basis.

We are also able to proactively monitor correct filing errors as they happen. Sensitive Data Manager allowed us to discover the wide variances of filing techniques by employees over the years. A lot of those filing mistakes occurred prior to HIPAA/HITECH, and we weren’t able to correct non-compliant filing issues because we didn’t know what we had. 

Can you give a “before-and-after” scenario or example that illustrates how CRIHB is managing its data better?

Prior to using Sensitive Data Manager, we had PII on our network that pre-dated HIPAA and often existed in obsolete versions of NotePad and WordPad. We had documents were accessible by parties that should not have had access. Now, we know where every file is and that each one is properly secured.

We also had a difficult time maintaining and enforcing consistent filing procedures, because we didn’t have the network visibility to see where problems existed. Now we can quickly correct issues because we can see them. Further, we can give kudos to departments that are doing a great job managing data. Our employees know their filing practices can be monitored, which encourages better handling.

We’re now in a position to expand our services to the tribes in our network. We are looking into deploying Sensitive Data Manager around our WAN to conduct audits for tribes in our network, which are typically underfunded and understaffed. 

Has CHRIB modified its workflows as a result of using this solution?

Yes. We can now conduct on-going audits. No system of checks and balances existed previously; today it does exist because we can account for all data on the network. We can more accurately structure file shares.